HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)
Fabric OS 6.1.1 administrator guide 69
To enable the admin lockout policy:
1. Log in to the switch using an admin or securityAdmin account.
2. Issue the following command:
passwdCfg --enableadminlockout
The policy is now enabled.
To unlock an account:
1. Log in to the switch using an admin or securityAdmin account.
2. Issue the following command:
userConfig --change <account_name> -u
where <account_name> is the name of the user account that is locked out.
To disable the admin lockout policy:
1. Log in to the switch using an admin or securityAdmin account.
2. Issue the following command:
passwdCfg --disableadminlockout
The policy is now disabled.
Denial of service implications
The account lockout mechanism may be used to create a denial of service condition by repeatedly
attempting to log in to an account using an incorrect password. Selected privileged accounts are exempted
from the account lockout policy to prevent them from being locked out from a denial of service attack.
However, these privileged accounts may then become the target of password guessing attacks. Audit logs
may be examined to monitor whether such attacks are attempted.
Authentication model
Fabric OS 6.0.0 and later supports the use of both the local user database and the RADIUS service at the
same time; and the local user database and LDAP using Microsoft’s Active Directory in Windows at the
same time. Table 12 on page 70.
When configured to use RADIUS or LDAP, the switch acts as a network access server (NAS) and RADIUS
or LDAP client. The switch sends all authentication, authorization, and accounting (AAA) service requests to
the RADIUS or LDAP server. The RADIUS or LDAP server receives the request, validates the request, and
sends its response back to the switch.
The supported management access channels that integrate with RADIUS and LDAP include serial port,
Telnet, SSH, Web Tools, and API. All these require the switch IP address or name to connect. The RADIUS
server accepts only an IPv4 address.
A switch can be configured to try both RADIUS or LDAP and local switch authentication.
For systems such as the HP 4/256 SAN Director and DC SAN Backbone Director (DC Director), the switch
IP addresses are aliases of the physical Ethernet interfaces on the CP blades. When specifying client IP
addresses for the logical switches in such systems, make sure the CP IP addresses are used. For accessing
both the active and standby CP, and for the purpose of HA failover, both CP IP addresses of a Director
should be included in the RADIUS or LDAP server configuration.
When configured for RADIUS or LDAP, a switch becomes a RADIUS or LDAP client. In either of these
configurations, authentication records are stored in the RADIUS or LDAP host server database. Login and
logout account name, assigned role, and time-accounting records are also stored on the RADIUS or LDAP
server for each user.
By default, the RADIUS and LDAP services are disabled, so AAA services default to the switch local
database.
To enable RADIUS or LDAP service, it is strongly recommended that you access the CLI through an SSH
connection so that the shared secret is protected. Multiple login sessions can configure simultaneously, and
the last session to apply a change leaves its configuration in effect. After a configuration is applied, it
persists after a reboot or an HA failover.